Hotel Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Camino hotel-search helper that sends your lodging search to Camino AI using your Camino API key.

Install the specific hotel-finder skill rather than the whole Camino suite unless you have reviewed the other skills. Use a dedicated Camino API key if possible, keep it private, and avoid submitting confidential addresses, private itineraries, or sensitive travel plans unless you are comfortable sharing them with Camino AI.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill advertises and demonstrates shell execution via local scripts and curl/jq, but does not declare explicit permissions for those capabilities. This creates a transparency and policy-enforcement gap: users or hosting platforms may not realize the skill can execute shell commands and make outbound requests, reducing the effectiveness of consent and sandbox controls.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash curl -H "X-API-Key: $CAMINO_API_KEY" \ "https://api.getcamino.ai/query?query=hotels+near+the+Eiffel+Tower&limit=5&rank=true&answer=true" ``` ## Parameters
Confidence: 80% confidence
Finding: https://api.getcamino.ai/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal